Serious security issue with popular mobile wallets (Apple and Google Pay)

Fraudulent transactions involving the most popular mobile wallets have been on the rise recently, and unfortunately Revolut is also heavily affected by this problem.

In a nutshell: The malicious software called Financial RAT can monitor the users’ computers, waiting for them to enter card details when making a purchase online. In addition, it also monitors whether the computer has SMS mirroring turned on, and if not, silently turns it on (to circumvent two-factor authentication). Last but not least, it keeps a log of when the user is typically inactive.

With the information obtained, card details, and SMS for two-factor authentication, fraudsters can easily add any Revolut card to an Apple or Google Pay wallet, and then make unlimited purchases from the available Revolut balance at some specific merchants on the dark web. As the mobile wallets in question require a passcode or biometric identification for each transaction, Revolut’s fraud analysis system is much more lax in checking transactions made with Apple/Google Pay.

In contrast to some other financial service providers (e.g. Monese), Revolut does not send any other notification (via email or push) to the user other than the mentioned 2FA SMS after the card is added to an Apple/Google Pay wallet. In addition, Revolut cards cannot be set to a daily purchase limit, much to the delight of fraudsters.

Source: https://forbes.hu/penz/revolut-ugy-csalas-folytatas/

1 Like

Every reason to use single-use cards when shopping online?

4 Likes

Yes, that can be a safe solution in many cases, but what if you need to add a standard, non-single-use card to a subscription service (like Netflix) or to PayPal, for example?

I think Revolut should send more extensive security notifications to its customers when a card is added to an Apple or Google Pay wallet.

1 Like

Case of damned if you do and damned if you don’t, it seems.
There was a comment in another topic suggesting that notifications about account activity be disabled…
Not a good idea in my estimation. Notifications are so important to maintain control of your account.

3 Likes

We discourage any use of RATs (remote access tools) by customers where I work (UK bank), as this sort of stuff is possible. Whether it be PC or mobile, we ask customers to reconsider having it on the same device as their banking app/logins.

2 Likes

Do I understand correctly that the malicious software called Financial RAT is installed on a PC/desktop? Or is software like this available in the Google and Apple stores for mobile devices?

1 Like

The former, so it can infect various computers.

1 Like

RAT refers to two types of software.

Remote Administration Tools are a very common tool for all kinds of fraud. Those spam emails telling you your Norton software has expired and you should renew it immediately often rely on them as well. Someone at some point convinces you to install it, during a phone call for example. Or it’s installed without your knowledge and you’re tricked into giving it access to your system. Many phone scams work with this. TeamViewer, for example, is a RAT tool. There are of course legitimate use cases for RATs, like remote support.

RAT tools are available for all desktop and mobile software platforms. But it’s easier to pull it off on desktop computers.

Remote Access Trojans are also called RATs. Trojans can be installed in a number of ways: downloads, torrent files, email attachments … and they also rely to some extent on the user actively granting the software access. They might allow changing settings, monitoring user behaviour, copying and deleting files, accessing network resources, or using the internet bandwidth for criminal activity. Desktops are historically more affected, but there are a number of known trojans for Android as well. Some banking apps on Android, for example, don’t allow screenshots because it’s a security risk.

4 Likes

Wow, this is terrible. You shouldn’t be using SMS 2FA for adding cards to Google Wallet – that’s in no way secure enough. At the least you should provide an option so that the Revolut account holder can turn off SMS 2FA for anything.

It’s 2024.

A serious security issue with popular mobile wallets like Apple Pay and Google Pay arises when they’re used for game downloads. These wallets typically store sensitive financial information, including credit card details, which could be compromised if the gaming platform lacks robust security measures. Hackers could exploit vulnerabilities in the gaming app to gain unauthorized access to users’ payment data, leading to fraudulent transactions or identity theft. To mitigate this risk, both mobile wallet providers and game developers must prioritize implementing stringent security protocols to safeguard users’ financial information and prevent potential breaches.

1 Like

I don’t subscribe to gaming apps personally, but as security with distance purchasing is an issue for you, have you considered using single-use disposable cards in preference to Apple Pay and Google Pay?
Any online purchases I have made from merchants with whom I have little or no confidence or lasting relationship have been conducted thus, and I have had no concerns with them thereafter.

1 Like

You’re correct that merchants in that gaming category are higher risk, but not for the reasons you’re describing. Apple Pay / Google Pay do not forward or share any credit card details with merchants. Your credit card details are not shared with gaming platforms when using Apple Pay. There’s fraud in relation to Apple Pay, but a data breach on the merchant side is not a concern. You can learn more about the technical details here: How Apple Pay Works Under the Hood

1 Like